Wisely Guide

A vulnerability in the Google browser gave access to our personal data

Chrome and Android

In December, Positive Technologies researcher Sergey Toshin discovered a very dangerous vulnerability in Google's Chromium browser engine, which also powers the far more popular Google Chrome. Properly exploited, this vulnerability would have handed attackers the personal data stored on our devices.

Upon learning of the bug, Google promptly fixed the problem through security patches, disguising the fix as a high-severity vulnerability with "insufficient policy enforcement". Only after the official Positive Technologies report was the real problem communicated: the error concerned Android's WebView component, which is commonly used to display web pages inside applications developed for Android. The vulnerability existed within Google's Chromium engine and was present in all Android versions from 4.4 onward.

Attackers could have exploited the vulnerability by connecting users to a malicious instant application that ran a small file on the device, thus giving the attackers access to the smartphone's hardware.

Once they had reached the hardware, it would have been child's play to intercept the data that the user exchanged with the applications on their phone. Leigh-Anne Galloway, head of IT security resilience at Positive Technologies, commented:

After an update containing a malicious payload, these applications could read the information from WebView. This allows access to the browser history, authentication tokens commonly used for accessing mobile apps and other important data.

The security patches have definitively fixed the bug. Users running Android 7.0 or later need the Google Chrome update from January; if your Android version is older than Nougat, you will instead need to update the WebView application via Google Play.
